On September 18, the U.S. State Department confirmed that one of its email systems was attacked. It didn't follow up with many details—except to say that the personal information of some of its employees could have been compromised.

The U.S. government has been a hot target for hackers for a while. In late 2014, Russian hackers and the NSA fought for control of State Department servers. This rolled over into the 2016 presidential campaign, with evidence supporting Russian meddling with DNC servers.

In 2009, a breach affected 76 million National Archives and Records Administration (NARA) records. Three years prior, the U.S. Department of Veterans Affairs was hacked, exposing 26.5 million accounts.

Why does history keep repeating itself? Why hasn't the U.S. government been able to secure its user data?

If the State Department isn't setting high standards, where can teams look for expert guidance on securing sensitive personal data? This piece highlights gaps in current practices and provides examples of what innovative teams like Reddit and Instagram are doing to raise the bar.

Where the State Department (and Other Teams) Fall Short in Securing Personal Data

By many accounts, the U.S. State Department has fallen short in managing its sensitive data. A lack of two-factor authentication (2FA) is one reason it's not up to date. We'll dig into this in just a minute.

The State Department also doesn't have a strong record of communication surrounding data breaches.

The email noted that “activity of concern . . . affecting less than 1% of employee inboxes” had been detected and that steps had been taken “to secure [the] system.”

The State Department also determined that “certain employees' personally identifiable information (PII) may have been exposed” and said that those affected had been notified.

This leaves several questions unanswered: How many accounts were actually compromised? What data was taken? What is the State Department doing to be sure this doesn't happen again? The lack of clarity isn't helpful to anyone involved.

Following the email breach, the department “convened a task force to examine the incident” but didn't reach a conclusion, according to Politico.

With a growing number of data breaches (more than 580 million exposed records in the past five years), it's hard for all organizations — in both the public and the private sector — to keep pace. Yet a few teams are managing to outshine the rest. Leaders across industries should take note.

Take a page from Reddit

Reddit discovered a breach of its own systems on June 19, 2018. It had occurred between one and five days prior, and Reddit published this information shortly after.

The statement was timely and thorough. The company outlined exactly how the attack occurred (a vulnerability in its SMS 2FA software), what the hacker was able to access (read-only access to Reddit backup data, source code, and other logs), and what it has done to fix things (lock down and rotate all production secrets and API keys and enhance its other security systems).

Although divulging any security attack isn't pleasant, the level of detail that Reddit provided helped rebuild trust in its team and deliver a measure of ease in a stressful situation.

You don't have to be a billion-dollar company like Reddit to take note of these strategies. Teams of all sizes can and should invest in updating their security practices.

Instagram Steps Up with Two-Factor Authentication

Reddit is one good example of how to handle a data breach. Instagram is also stepping up its game in this arena by introducing two-factor authentication for its users.

The new security log-ins specifically help guard against SIM swapping, which has been rampant on Instagram lately. In a SIM swap (also called a SIM hijack or a port-out scam), criminals target Instagram users with short or unique usernames. They're able to steal the victims' accounts by taking over the victims' cell-phone numbers; with control of the number, they can reset passwords on any account linked to it.

Instagram Could Drive Greater Adoption of 2FA

A recent study shows that 2FA adoption still hovers below 30% — and over 90% of Gmail users still haven't adopted 2FA, despite its numerous security benefits. Because two-factor authentication requires a second form of identification (e.g., a phone or another hardware device, such as a USB drive; or a biometric, such as a thumbprint or facial recognition), it decreases the chances that an attacker can impersonate a user.

The issue with 2FA is that getting comfortable with it is difficult. Users usually have to find the setting and turn it on themselves. This can often be a very technical process that turns less advanced users off. They prefer to stick with what they know.

The more comfortable Instagram users become with 2FA, the more likely they are to adopt it in their other apps.

Time to Make Updates

Taking steps to improve your security, no matter what your size or industry, is essential. Whether this is by incorporating two-factor authentication, improving communications around a recent incident (or in preparing for one), or outsourcing some or all of your needs for advanced identity and access management, you can (and must) start somewhere.

In today’s rapidly evolving threat environment, with an increasing number of incidents and accounts compromised, keeping yourself informed and taking advantage of new tools and features will help secure your users as you grow.

About Auth0

Auth0, a global leader in Identity-as-a-Service (IDaaS), provides thousands of enterprise customers with a Universal Identity Platform for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 1.5B logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its customers that are located in 70+ countries.